<?php


namespace app\common;

class Controller extends \think\Controller
{
	public $input;
	public function __construct(\think\App $app = null)
	{
		parent::__construct($app);
		$this->input = input();
		if (!defined("shuanq")) {
			define("shuanq", time());
			try {
				$cross_domain_config = server\ConfigServer::get("cross_domain", "", []);
				if (!empty($cross_domain_config["origin_rule"])) {
					header("Access-Control-Allow-Origin:*");
				} else {
					$origin = $_SERVER["HTTP_ORIGIN"] ?? "";
					if (!empty($cross_domain_config["open"]) && $origin) {
						$allow_origin = $cross_domain_config["allow_origin"];
						foreach ($allow_origin as $allow_origin_item) {
							if ($allow_origin_item["host"] == $origin && !empty($allow_origin_item["open"])) {
								header("Access-Control-Allow-Origin:" . $origin);
							}
						}
					}
				}
			} catch (\Exception $e) {
			}
			$webscan_switch = 1;
			$webscan_post = 1;
			$webscan_get = 1;
			$webscan_cookie = 1;
			$webscan_referre = 1;
			$getfilter = "\\<.+javascript:window\\[.{1}\\\\x|<.*=(&#\\d+?;?)+?>|<.*(data|src)=data:text\\/html.*>|\\b(alert\\(|confirm\\(|expression\\(|prompt\\(|benchmark\\s*?\\(.*\\)|sleep\\s*?\\(.*\\)|\\b(group_)?concat[\\s\\/\\*]*?\\([^\\)]+?\\)|\\bcase[\\s\\/\\*]*?when[\\s\\/\\*]*?\\([^\\)]+?\\)|load_file\\s*?\\()|<[a-z]+?\\b[^>]*?\\bon([a-z]{4,})\\s*?=|^\\+\\/v(8|9)|\\b(and|or)\\b\\s*?([\\(\\)'\"\\d]+?=[\\(\\)'\"\\d]+?|[\\(\\)'\"a-zA-Z]+?=[\\(\\)'\"a-zA-Z]+?|>|<|\\s+?[\\w]+?\\s+?\\bin\\b\\s*?\\(|\\blike\\b\\s+?[\"'])|\\/\\*.*\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT\\s*(\\(.+\\)\\s*|@{1,2}.+?\\s*|\\s+?.+?|(`|'|\").*?(`|'|\")\\s*)|UPDATE\\s*(\\(.+\\)\\s*|@{1,2}.+?\\s*|\\s+?.+?|(`|'|\").*?(`|'|\")\\s*)SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE)@{0,2}(\\(.+\\)|\\s+?.+?\\s+?|(`|'|\").*?(`|'|\"))FROM(\\(.+\\)|\\s+?.+?|(`|'|\").*?(`|'|\"))|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)|<.*(iframe|frame|style|embed|object|frameset|meta|xml)";
			$postfilter = "<.*=(&#\\d+?;?)+?>|<.*data=data:text\\/html.*>|\\b(alert\\(|confirm\\(|expression\\(|prompt\\(|benchmark\\s*?\\(.*\\)|sleep\\s*?\\(.*\\)|\\b(group_)?concat[\\s\\/\\*]*?\\([^\\)]+?\\)|\\bcase[\\s\\/\\*]*?when[\\s\\/\\*]*?\\([^\\)]+?\\)|load_file\\s*?\\()|<[^>]*?\\b(onerror|onmousemove|onload|onclick|onmouseover)\\b|\\b(and|or)\\b\\s*?([\\(\\)'\"\\d]+?=[\\(\\)'\"\\d]+?|[\\(\\)'\"a-zA-Z]+?=[\\(\\)'\"a-zA-Z]+?|>|<|\\s+?[\\w]+?\\s+?\\bin\\b\\s*?\\(|\\blike\\b\\s+?[\"'])|\\/\\*.*\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT\\s*(\\(.+\\)\\s*|@{1,2}.+?\\s*|\\s+?.+?|(`|'|\").*?(`|'|\")\\s*)|UPDATE\\s*(\\(.+\\)\\s*|@{1,2}.+?\\s*|\\s+?.+?|(`|'|\").*?(`|'|\")\\s*)SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE)(\\(.+\\)|\\s+?.+?\\s+?|(`|'|\").*?(`|'|\"))FROM(\\(.+\\)|\\s+?.+?|(`|'|\").*?(`|'|\"))|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)|<.*(iframe|frame|style|embed|object|frameset|meta|xml)";
			$cookiefilter = "benchmark\\s*?\\(.*\\)|sleep\\s*?\\(.*\\)|load_file\\s*?\\(|\\b(and|or)\\b\\s*?([\\(\\)'\"\\d]+?=[\\(\\)'\"\\d]+?|[\\(\\)'\"a-zA-Z]+?=[\\(\\)'\"a-zA-Z]+?|>|<|\\s+?[\\w]+?\\s+?\\bin\\b\\s*?\\(|\\blike\\b\\s+?[\"'])|\\/\\*.*\\*\\/|<\\s*script\\b|\\bEXEC\\b|UNION.+?SELECT\\s*(\\(.+\\)\\s*|@{1,2}.+?\\s*|\\s+?.+?|(`|'|\").*?(`|'|\")\\s*)|UPDATE\\s*(\\(.+\\)\\s*|@{1,2}.+?\\s*|\\s+?.+?|(`|'|\").*?(`|'|\")\\s*)SET|INSERT\\s+INTO.+?VALUES|(SELECT|DELETE)@{0,2}(\\(.+\\)|\\s+?.+?\\s+?|(`|'|\").*?(`|'|\"))FROM(\\(.+\\)|\\s+?.+?|(`|'|\").*?(`|'|\"))|(CREATE|ALTER|DROP|TRUNCATE)\\s+(TABLE|DATABASE)";
			$webscan_referer = empty($_SERVER["HTTP_REFERER"]) ? [] : ["HTTP_REFERER" => $_SERVER["HTTP_REFERER"]];
			if (!function_exists("webscan_slog")) {
				function webscan_slog($logs)
				{
					return true;
				}
			}
			if (!function_exists("webscan_arr_foreach")) {
				function webscan_arr_foreach($arr)
				{
					static $str;
					static $keystr;
					if (!is_array($arr)) {
						return $arr;
					}
					foreach ($arr as $key => $val) {
						$keystr = $keystr . $key;
						if (is_array($val)) {
							webscan_arr_foreach($val);
						} else {
							$str[] = $val . $keystr;
						}
					}
					if (!$str) {
						return $str;
					}
					return implode($str);
				}
			}
			if (!function_exists("webscan_pape")) {
				function webscan_pape()
				{
					exit(json_encode(["code" => -1, "msg" => "输入内容存在危险字符，安全起见，已被本站拦截"], JSON_UNESCAPED_UNICODE));
					$pape = "<html>
<head>
<meta http-equiv=\"content-type\" content=\"text/html;charset=utf-8\"/>
<title>输入内容存在危险字符，安全起见，已被本站拦截</title>
<style>
body, h1, h2, p,dl,dd,dt{margin: 0;padding: 0;font: 12px/1.5 微软雅黑,tahoma,arial;}
body{background:#efefef;}
h1, h2, h3, h4, h5, h6 {font-size: 100%;cursor:default;}
ul, ol {list-style: none outside none;}
a {text-decoration: none;color:#447BC4}
a:hover {text-decoration: underline;}
.ip-attack{width:600px; margin:200px auto 0;}
.ip-attack dl{ background:#fff; padding:30px; border-radius:10px;border: 1px solid #CDCDCD;-webkit-box-shadow: 0 0 8px #CDCDCD;-moz-box-shadow: 0 0 8px #cdcdcd;box-shadow: 0 0 8px #CDCDCD;}
.ip-attack dt{text-align:center;}
.ip-attack dd{font-size:16px; color:#333; text-align:center;}
.tips{text-align:center; font-size:14px; line-height:50px; color:#999;}
</style>
</head>
<body>
<div class=\"ip-attack\">
<dl>
<dt><img  src='http://p2.qhimg.com/t016dd70ac04d942b1b.png' /></dt>
<dt><a href=\"javascript:history.go(-1)\">返回上一页</a></dt>
</dl>
</div>
</body>
</html>";
					echo $pape;
					exit;
				}
			}
			if (!function_exists("webscan_StopAttack")) {
				function webscan_StopAttack($StrFiltKey, $StrFiltValue, $ArrFiltReq, $method)
				{
					$StrFiltValue = webscan_arr_foreach($StrFiltValue);
					if (preg_match("/" . $ArrFiltReq . "/is", $StrFiltValue) == 1) {
						webscan_slog(["ip" => $_SERVER["REMOTE_ADDR"], "time" => strftime("%Y-%m-%d %H:%M:%S"), "page" => $_SERVER["PHP_SELF"], "method" => $method, "rkey" => $StrFiltKey, "rdata" => $StrFiltValue, "user_agent" => $_SERVER["HTTP_USER_AGENT"], "request_url" => $_SERVER["REQUEST_URI"]]);
						exit(webscan_pape());
					}
					if (preg_match("/" . $ArrFiltReq . "/is", $StrFiltKey) == 1) {
						webscan_slog(["ip" => $_SERVER["REMOTE_ADDR"], "time" => strftime("%Y-%m-%d %H:%M:%S"), "page" => $_SERVER["PHP_SELF"], "method" => $method, "rkey" => $StrFiltKey, "rdata" => $StrFiltKey, "user_agent" => $_SERVER["HTTP_USER_AGENT"], "request_url" => $_SERVER["REQUEST_URI"]]);
						exit(webscan_pape());
					}
				}
			}
			$module_controller_action = parseUnderline(request()->module()) . "/" . parseUnderline(request()->controller()) . "/" . request()->action();
			$ApiWhiteList = ["system/version/edit", "system/version/add", "system/variable/edit", "system/variable/add"];
			if ($webscan_switch && !in_array($module_controller_action, $ApiWhiteList)) {
				if ($webscan_get) {
					foreach (input() as $key => $value) {
						webscan_StopAttack($key, $value, $getfilter, "GET");
					}
				}
				if ($webscan_post) {
					foreach (input() as $key => $value) {
						webscan_StopAttack($key, $value, $postfilter, "POST");
					}
				}
				if ($webscan_cookie) {
					foreach (input("cookie.") as $key => $value) {
						webscan_StopAttack($key, $value, $cookiefilter, "COOKIE");
					}
				}
				if ($webscan_referre) {
					foreach ($webscan_referer as $key => $value) {
						webscan_StopAttack($key, $value, $postfilter, "REFERRER");
					}
				}
			}
		}
	}
}